UNPKG

cdk8s-plus-25

Version:

cdk8s+ is a software development framework that provides high level abstractions for authoring Kubernetes applications. cdk8s-plus-25 synthesizes Kubernetes manifests for Kubernetes 1.25.0

github.com/cdk8s-team/cdk8s-plus

cdk8s-team/cdk8s-plus

312 lines (311 loc) 9.65 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
import { ApiObject } from 'cdk8s'; import { Construct, IConstruct } from 'constructs'; import * as base from './base'; import * as k8s from './imports/k8s'; import * as pod from './pod'; /** * Properties for `NetworkPolicyPort`. */ export interface NetworkPolicyPortProps { /** * Specific port number. * * @default - all ports are allowed. */ readonly port?: number; /** * End port (relative to `port`). Only applies if `port` is defined. * Use this to specify a port range, rather that a specific one. * * @default - not a port range. */ readonly endPort?: number; /** * Protocol. * * @default NetworkProtocol.TCP */ readonly protocol?: NetworkProtocol; } /** * Describes a port to allow traffic on. */ export declare class NetworkPolicyPort { private readonly port?; private readonly endPort?; private readonly protocol?; /** * Distinct TCP ports */ static tcp(port: number): NetworkPolicyPort; /** * A TCP port range */ static tcpRange(startPort: number, endPort: number): NetworkPolicyPort; /** * Any TCP traffic */ static allTcp(): NetworkPolicyPort; /** * Distinct UDP ports */ static udp(port: number): NetworkPolicyPort; /** * A UDP port range */ static udpRange(startPort: number, endPort: number): NetworkPolicyPort; /** * Any UDP traffic */ static allUdp(): NetworkPolicyPort; /** * Custom port configuration. */ static of(props: NetworkPolicyPortProps): NetworkPolicyPort; private constructor(); /** * @internal */ _toKube(): k8s.NetworkPolicyPort; } /** * Configuration for network peers. * A peer can either by an ip block, or a selection of pods, not both. */ export interface NetworkPolicyPeerConfig { /** * The ip block this peer represents. */ readonly ipBlock?: NetworkPolicyIpBlock; /** * The pod selector this peer represents. */ readonly podSelector?: pod.PodSelectorConfig; } /** * Describes a peer to allow traffic to/from. */ export interface INetworkPolicyPeer extends IConstruct { /** * Return the configuration of this peer. */ toNetworkPolicyPeerConfig(): NetworkPolicyPeerConfig; /** * Convert the peer into a pod selector, if possible. */ toPodSelector(): pod.IPodSelector | undefined; } /** * Describes a rule allowing traffic from / to pods matched by a network policy selector. */ export interface NetworkPolicyRule { /** * The ports of the rule. * * @default - traffic is allowed on all ports. */ readonly ports?: NetworkPolicyPort[]; /** * Peer this rule interacts with. */ readonly peer: INetworkPolicyPeer; } /** * Describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is * allowed to the pods matched by a network policy selector. * The except entry describes CIDRs that should not be included within this rule. */ export declare class NetworkPolicyIpBlock extends Construct implements INetworkPolicyPeer { /** * A string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64". */ readonly cidr: string; /** * A slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64". * Except values will be rejected if they are outside the CIDR range. */ readonly except?: string[] | undefined; /** * Create an IPv4 peer from a CIDR */ static ipv4(scope: Construct, id: string, cidrIp: string, except?: string[]): NetworkPolicyIpBlock; /** * Any IPv4 address */ static anyIpv4(scope: Construct, id: string): NetworkPolicyIpBlock; /** * Create an IPv6 peer from a CIDR */ static ipv6(scope: Construct, id: string, cidrIp: string, except?: string[]): NetworkPolicyIpBlock; /** * Any IPv6 address */ static anyIpv6(scope: Construct, id: string): NetworkPolicyIpBlock; private constructor(); /** * @see INetworkPolicyPeer.toNetworkPolicyPeerConfig() */ toNetworkPolicyPeerConfig(): NetworkPolicyPeerConfig; /** * @see INetworkPolicyPeer.toPodSelector() */ toPodSelector(): pod.IPodSelector | undefined; /** * @internal */ _toKube(): k8s.IpBlock; } /** * Network protocols. */ export declare enum NetworkProtocol { /** * TCP. */ TCP = "TCP", /** * UDP. */ UDP = "UDP", /** * SCTP. */ SCTP = "SCTP" } /** * Default behaviors of network traffic in policies. */ export declare enum NetworkPolicyTrafficDefault { /** * The policy denies all traffic. * Since rules are additive, additional rules or policies can allow * specific traffic. */ DENY = "DENY", /** * The policy allows all traffic (either ingress or egress). * Since rules are additive, no additional rule or policies can * subsequently deny the traffic. */ ALLOW = "ALLOW" } /** * Describes how the network policy should configure egress / ingress traffic. */ export interface NetworkPolicyTraffic { /** * Specifies the default behavior of the policy when * no rules are defined. * * @default - unset, the policy does not change the behavior. */ readonly default?: NetworkPolicyTrafficDefault; /** * List of rules to be applied to the selected pods. * If empty, the behavior of the policy is dictated by the `default` property. * * @default - no rules */ readonly rules?: NetworkPolicyRule[]; } /** * Options for `NetworkPolicy.addEgressRule`. */ export interface NetworkPolicyAddEgressRuleOptions { /** * Ports the rule should allow outgoing traffic to. * * @default - If the peer is a managed pod, take its ports. Otherwise, all ports are allowed. */ readonly ports?: NetworkPolicyPort[]; } /** * Properties for `NetworkPolicy`. */ export interface NetworkPolicyProps extends base.ResourceProps { /** * Which pods does this policy object applies to. * * This can either be a single pod / workload, or a grouping of pods selected * via the `Pods.select` function. Rules is applied to any pods selected by this property. * Multiple network policies can select the same set of pods. * In this case, the rules for each are combined additively. * * Note that * * @default - will select all pods in the namespace of the policy. */ readonly selector?: pod.IPodSelector; /** * Egress traffic configuration. * * @default - the policy doesn't change egress behavior of the pods it selects. */ readonly egress?: NetworkPolicyTraffic; /** * Ingress traffic configuration. * * @default - the policy doesn't change ingress behavior of the pods it selects. */ readonly ingress?: NetworkPolicyTraffic; } /** * Control traffic flow at the IP address or port level (OSI layer 3 or 4), * network policies are an application-centric construct which allow you * to specify how a pod is allowed to communicate with various network peers. * * - Outgoing traffic is allowed if there are no network policies selecting * the pod (and cluster policy otherwise allows the traffic), * OR if the traffic matches at least one egress rule across all of the * network policies that select the pod. * * - Incoming traffic is allowed to a pod if there are no network policies * selecting the pod (and cluster policy otherwise allows the traffic), * OR if the traffic source is the pod's local node, * OR if the traffic matches at least one ingress rule across all of * the network policies that select the pod. * * Network policies do not conflict; they are additive. * If any policy or policies apply to a given pod for a given * direction, the connections allowed in that direction from * that pod is the union of what the applicable policies allow. * Thus, order of evaluation does not affect the policy result. * * For a connection from a source pod to a destination pod to be allowed, * both the egress policy on the source pod and the ingress policy on the * destination pod need to allow the connection. * If either side does not allow the connection, it will not happen. * * @see https://kubernetes.io/docs/concepts/services-networking/network-policies/#networkpolicy-resource */ export declare class NetworkPolicy extends base.Resource { /** * @see base.Resource.apiObject */ protected readonly apiObject: ApiObject; readonly resourceType: string; private readonly _podSelectorConfig; private readonly _egressRules; private readonly _ingressRules; private readonly _policyTypes; constructor(scope: Construct, id: string, props?: NetworkPolicyProps); /** * Allow outgoing traffic to the peer. * * If ports are not passed, traffic will be allowed on all ports. */ addEgressRule(peer: INetworkPolicyPeer, ports?: NetworkPolicyPort[]): void; /** * Allow incoming traffic from the peer. * * If ports are not passed, traffic will be allowed on all ports. */ addIngressRule(peer: INetworkPolicyPeer, ports?: NetworkPolicyPort[]): void; private createNetworkPolicyPeers; private configureDefaultBehavior; /** * @internal */ _toKube(): k8s.NetworkPolicySpec; } export declare function validatePeerConfig(peerConfig: NetworkPolicyPeerConfig): void;